Hello
I have recently released catchmail - a free (BSD license) open source
Python utility www.users.bigpond.net.au/mysite/catchmail.htm
This script processes in and outbound emails and stores them to a
database.
The source code is here: http://www.users.bigpond.net.au/mysi...t/catchmail.py
It's not a very long script (about 300 lines or so).
I'm quite concerned however about security and I'd like catchmail to be
as secure as possible. What can be done to verify the security of this
script?
I would really value it if any security aware Python guru was able to
review the code from a security perspective. It would be good to
ensure that python or sql code planted in an email or an attachment
could not execute and break out of the script - or that any other
security issue might arise. But how - I don't have anything near the
level of Python expertise required to properly assess this script for
security risk? If someone has the time to do a code review it would be
much appreciated.
Thanks in advance
Andrew Stuart
andrew dot stuart at xse dot com dot au 6  2077 
> I would really value it if any security aware Python guru was able to review the code from a security perspective. It would be good to
ensure that python or sql code planted in an email or an attachment
could not execute and break out of the script - or that any other
security issue might arise. But how - I don't have anything near the
level of Python expertise required to properly assess this script for
security risk? If someone has the time to do a code review it would be
much appreciated.
You can save yourself many concerns by encoding your data in some
fashion that cannot be understood by the database to mean anything. Hex
works well for that.
In terms of general script security, you should be more specific about
what you are worried about.
- Josiah
On Tue, 2004-10-12 at 20:52 -0700, Josiah Carlson wrote: I would really value it if any security aware Python guru was able to
review the code from a security perspective. It would be good to
ensure that python or sql code planted in an email or an attachment
could not execute and break out of the script - or that any other
security issue might arise. But how - I don't have anything near the
level of Python expertise required to properly assess this script for
security risk? If someone has the time to do a code review it would be
much appreciated.
You can save yourself many concerns by encoding your data in some
fashion that cannot be understood by the database to mean anything. Hex
works well for that.
A more straightforward way is to simply use prepare() religiously. This
also avoids the headache of having to decode your data if you use a
different program to access it (such as psql or mysql).
Regards,
Cliff
--
Cliff Wells <cl************ @comcast.net>
On Tue, Oct 12, 2004 at 10:25:58PM -0700, Cliff Wells wrote: [Josiah Carlson requests a security review of his code storing/receiving
email data from a PostgreSQL database]
A more straightforward way is to simply use prepare() religiously.
This also avoids the headache of having to decode your data if you
use a different program to access it (such as psql or mysql).
There's no prepare() in the DB-API. Letting the database module do the
quoting should be enough to stay clear of SQL injection attacks.
And this his code does, from what I can see. The SQL stuff is hard to
read for me, though. Maybe the database access code should be factored
out more and put in a class of its own.
-- Gerhard
On Tue, Oct 12, 2004 at 08:52:31PM -0700, Josiah Carlson wrote: You can save yourself many concerns by encoding your data in some
fashion that cannot be understood by the database to mean anything.
Hex works well for that.
Looks like overkill to me. If you let the DB-API do the quoting (by
providing both SQL statements and parameters to the execute method,
which he does), you're on the safe side IMO.
Using TEXT and VARCHAR fields for emails is the way to go IMO. No need
for any fancy BLOB/BYTEA column types, because emails cannot contain
chr(0) anyway. If you want to search and/or compare, then you should
be aware of possible charset issues, though.
-- Gerhard
On Wed, 2004-10-13 at 16:53 +0200, Gerhard Haering wrote: On Tue, Oct 12, 2004 at 10:25:58PM -0700, Cliff Wells wrote: [Josiah Carlson requests a security review of his code storing/receiving
email data from a PostgreSQL database]
A more straightforward way is to simply use prepare() religiously.
This also avoids the headache of having to decode your data if you
use a different program to access it (such as psql or mysql).
There's no prepare() in the DB-API. Letting the database module do the
quoting should be enough to stay clear of SQL injection attacks.
Ah, right. Too much language switching and not enough sleep (it's
8:00AM here and I haven't seen a bed yet) :P
--
Cliff Wells <cl************ @comcast.net>
Thank you all very much for your helpful comments. I will take them
into account.
A few people credited me here with having written the code. Kind - but
I'm the project lead - not the person who wrote the code. The code was
written by Mark Hammond - that would explain why it is well written.
Thanks again to all for the comments and guidance - most helpful.
Regards
Andrew Stuart
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Darren Dale |
last post by:
I love the language. I love the community. My only complaint is that
Python for Windows is built with Visual Studio.
It is too difficult to build python, or a module, from source. This is
what open source is all about, isnt it? I even have a copy of visual
studio, and I still cant build modules from source, because my academic
copy is...
|
by: Luis M. Gonzalez |
last post by:
I'm confussed...
Python 2.4 (final) hs been released a few days ago, but now I see that
Python 2.3.5 is being worked on.
Why? What does it mean?
|
by: Xah Lee |
last post by:
http://python.org/doc/2.4.1/lib/module-re.html
http://python.org/doc/2.4.1/lib/node114.html
---------
QUOTE
The module defines several functions, constants, and an exception. Some
of the functions are simplified versions of the full featured methods
for compiled regular expressions. Most non-trivial applications always
use the compiled...
|
by: Robert Seacord |
last post by:
The CERT/CC has just deployed a new web site dedicated to developing
secure coding standards for the C programming language, C++, and
eventually other programming language.
We have already developed significant content for the C programming
language that is available at:
https://www.securecoding.cert.org/
by clicking on the "CERT C...
|
by: bcannon |
last post by:
At the beginning of the month the PSF Infrastructure committee
announced that we had reached the decision that JIRA was our
recommendation for the next issue tracker for Python development.
Realizing, though, that it was a tough call between JIRA and Roundup we
said that we would be willing to switch our recommendation to Roundup
if enough...
| | |
by: kyosohma |
last post by:
Hi,
I am trying to get a small group of volunteers together to create
Windows binaries for any Python extension developer that needs them,
much like the package/extension builders who volunteer their time to
create Linux RPMs.
The main thing I need are people willing to test the binaries to make
sure the extension is stable. This would...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then...
| | |
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating...
| |
